iDefense: Remote exploitation of an integer overflow vulnerability in Clam AntiVirus' ClamAV, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the affected process. The vulnerability exists within the code responsible for parsing PE files packed with the MEW packer. During unpacking, two untrusted values are taken directly from the file without being validated. These values are later used in an arithmetic operation to calculate the size used to allocate a heap buffer. This calculation can overflow, resulting in a buffer of insufficient size being allocated. This later leads to arbitrary areas of memory being overwritten with attacker supplied data.
Andrej, is 0.92 ready for stabling?
Portage 2.1.3.19 (default-linux/x86/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-gentoo-r1 i686) ================================================================= System uname: 2.6.23-gentoo-r1 i686 AMD Athlon(tm) XP 2400+ Timestamp of tree: Wed, 19 Dec 2007 18:30:01 +0000 app-shells/bash: 3.2_p17 dev-java/java-config: 1.3.7, 2.0.33-r1 dev-lang/python: 2.3.5-r3, 2.4.4-r6 dev-python/pycrypto: 2.0.1-r6 sys-apps/baselayout: 1.12.9-r2 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.13, 2.61-r1 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.18-r1 sys-devel/gcc-config: 1.3.16 sys-devel/libtool: 1.5.24 virtual/os-headers: 2.6.22-r2 ACCEPT_KEYWORDS="x86" CBUILD="i686-pc-linux-gnu" CFLAGS="-Os -march=athlon-xp -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/lib/fax /usr/share/X11/xkb /usr/share/config /var/spool/fax/etc" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d" CXXFLAGS="-Os -march=athlon-xp -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch" GENTOO_MIRRORS="ftp://192.168.0.2:66/ http://gentoo.intergenia.de/ ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.tu-clausthal.de/pub/linux/gentoo/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo/ ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo/ ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo" LANG="de_DE@euro" LC_ALL="de_DE@euro" LINGUAS="de" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="3dnow 3dnowext X a52 aac acl acpi aiglx alsa amr apache2 arts asf berkdb bitmap-fonts bzip2 bzlib cairo cdb cdparanoia cdr cli cracklib crypt css cups curl dbus dga directfb divx4linux dri dts dv dvd dvdr dvdread eds emboss encode ethereal evo extrafilters fbcon ffmpeg firefox flac fortran ftp gcj gdbm gif gpm gstreamer gtk gtk2 hal iconv icq imagemagick isdnlog java jikes jpeg kerberos lame lzo mad midi mikmod mime mjpeg mmx mmxext motif mp3 mpeg mtrr mudflap musepack ncurses network nls nptl nptlonly nsplugin nvidia ogg oggvorbis opengl openmp oss pam pcre pdf perl png pppd print python qt3 qt3support qt4 quicktime readline real reflection samba sdl session snmp sockets spell spl sse ssl svg svga tcpd theora threads tiff truetype truetype-fonts type1-fonts unicode usb userlocales vcd vorbis win32codecs x264 x86 xine xinerama xml xorg xprint xv xvid xvmc zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de" USERLAND="GNU" VIDEO_CARDS="nv nvidia" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY 0.92 works fine here.
Created attachment 138927 [details, diff] clamav-0.91.2-CVE-2007-5759.patch
Created attachment 138929 [details, diff] clamav-0.91.2-CVE-2007-6336.patch
Created attachment 138930 [details, diff] clamav-0.91.2-CVE-2007-6337.patch
There were further vulnerabilities fixed in this release: CVE-2007-6336: It was discovered that on off-by-one in the MS-ZIP decompression code may lead to the execution of arbitrary code. CVE-2007-6337: fix bzlib bug (aCaB) ??? I am not sure about the contents of this yet. <Ticho> well, both klamav and Mail::ClamAV use some clamav internal functions which shouldn't really be used outside of clamav, and those changed in this release Ticho, can you please bump 0.91.2 with the attached patches? Thanks.
0.91.2-r1 committed, with these patches applied. Thanks!
Arches, please test and mark stable app-antivirus/clamav-0.91.2-r1. Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
ppc and ppc64 stable
x86 stable
Stable for sparc.
Stable for HPPA.
alpha/ia64 stable
amd64 stable
All arches done, GLSA request filed.
GLSA 200712-20, thanks everyone.
Does not affect current (2008.0) release. Removing release.
